diff --git a/content/posts/infosec/europe-stronger-privacy-laws.md b/content/posts/infosec/europe-stronger-privacy-laws.md new file mode 100644 index 0000000..036d780 --- /dev/null +++ b/content/posts/infosec/europe-stronger-privacy-laws.md 
@@ -0,0 +1,26 @@ +--- +title: "Europe's stronger privacy laws" +date: 2016-10-03T22:47:00+06:00 +draft: false +tags: ["data privacy","GDPR",""] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "/images/" + alt: "" + caption: "" +--- +Web firms face a strict new set of privacy rules in Europe, [here’s what to expect](https://old.gigaom.com/2014/03/12/web-firms-face-a-strict-new-set-of-privacy-rules-in-europe-heres-what-to-expect/) (GigaOm): + +* EU privacy rules apply to the processing of EU citizens’ data, even if that data is processed in another country. +* A court or tribunal in a country outside the EU may not demand the transfer or disclosure of an EU citizen’s personal data (as with the previous point, enforcing this one would be fun). +* Fines for not following this regulation could be as high as €100 million or up to five percent of an enterprise’s annual turnover, whichever is larger. In other words, the likes of Google would face much higher fines for privacy breaches than the paltry sums they have to pay today, making EU law much harder to ignore. +* People must consent to having their personal data processed, and must be able to withdraw that consent as easily as they give it. This would create a culture of opting in, rather than today’s norm of opting out. +* People have the right to get their personal data from someone who holds it, in a commonly used, interoperable electronic format. This would be a victory for campaigners such as Europe v Facebook. +* Because the regulation harmonizes EU data protection law, EU citizens who want to complain about the violation of their privacy rights in any EU member state can approach the local data protection regulator in a member state of their choice. This makes it a lot easier to bypass the fact that U.S. web firms base their European operations in Ireland, which has relatively light-touch privacy regulation. Again, a win for campaigners. 
+* Organizations processing people’s data must provide standardized information policies to explain what they’re doing with it and why. +* People have the right to have their personal data erased (with public interest exceptions, so journalists can probably rest easy). This includes data passed on to third parties. +* People can object to being visibly profiled in a way that could discriminate against them on the basis of race, political beliefs, sexual orientation and so on, and the organizations processing their data must make sure this discrimination doesn’t occur. diff --git a/content/posts/infosec/every-move-you-make.md b/content/posts/infosec/every-move-you-make.md new file mode 100644 index 0000000..43aa178 --- /dev/null +++ b/content/posts/infosec/every-move-you-make.md 
@@ -0,0 +1,30 @@ +--- +title: "Every Move You Make" +date: 2016-09-11T16:50:00+06:00 +draft: false +tags: ["data privacy","surveillance","three-letter-agencies"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "/images/" + alt: "" + caption: "" +--- +![Every Move You Make](/images/every-move-you-make.jpg "Over eight years, Barack Obama has created the most intrusive surveillance apparatus in the world") + +**Over eight years, Barack Obama has created the most intrusive surveillance apparatus in the world. To what end?** + +> From 22,300 miles in space, where seven Advanced Orion crafts now orbit; to a 1-million-square-foot building in the Utah desert that stores data intercepted from personal phones, emails, and social media accounts; to taps along the millions of miles of undersea cables that encircle the Earth like yarn, U.S. surveillance has expanded exponentially since Obama’s inauguration on Jan. 20, 2009. The effort to wire the world has cost American taxpayers more than $100 billion. +> +> America’s intelligence culture has grown frenzied. Agencies are ever thinking to get bigger, move faster and pry deeper. +> +> Into the NSA's Bluffdale, Utah, facility would flow email, texts, tweets, financial records, Facebook posts, YouTube videos and telephone chatter. +> +> Quantum computing could be a game-changer in U.S. Intelligence. It would break the last line of defense against government intrusion. +> +> How big is too big, though, is a question the outgoing president has never answered fully. At what point does gathering data become an end in itself, rather than a means to an end? + +-- By [James Bamford](https://foreignpolicy.com/author/james-bamford/), in [Foreign Policy](https://web.archive.org/web/20160908220910/https://foreignpolicy.com/2016/09/07/every-move-you-make-obama-nsa-security-surveillance-spying-intelligence-snowden/). 
diff --git a/content/posts/infosec/facebook-does-not-connect-people-together.md b/content/posts/infosec/facebook-does-not-connect-people-together.md new file mode 100644 index 0000000..b9d56ce --- /dev/null +++ b/content/posts/infosec/facebook-does-not-connect-people-together.md @@ -0,0 +1,32 @@ +--- +title: "Facebook does not connect people together" +date: 2017-03-03T09:50:00+06:00 +draft: false +tags: ["tech","social media","surveillance","facebook"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "" + alt: "" + caption: "" +--- + +**Facebook does not connect people together; Facebook connects people to Facebook, Inc.** + +## [Encouraging individual sovereignty and a healthy commons](https://ar.al/notes/encouraging-individual-sovereignty-and-a-healthy-commons/) +> +> **Abstract**: Facebook’s business model is to be the man in the middle; to track every move you, your family, and your friends make, to store all that information indefinitely, and continuously analyse it to understand you better in order to exploit you by manipulating you for financial and political gain. +> +> Facebook isn’t a social network, it is a scanner that digitises human beings. It is, for all intents and purposes, the camera that captures your soul. Facebook’s business is to simulate you and to own and control your simulation, thereby owning and controlling you. + +An alternative is possible [though - if not too late: + +> +> **A healthy economy built upon an ethical core.** +> +> Interoperability, free (as in freedom) technology with “share alike” licenses, a peer-to-peer architecture (as opposed to client/server), and a commons-funded core are the fundamental safeguards for preventing this new system from decaying into a new version of the monopolistic surveillance web we have today. +> +> -- [Aral Balkan](https://ar.al/), *cyborg rights activist* \ No newline at end of file 
diff --git a/content/posts/infosec/facebook-is-censoring-posts-in-thailand.md b/content/posts/infosec/facebook-is-censoring-posts-in-thailand.md new file mode 100644 index 0000000..b4783a7 --- /dev/null +++ b/content/posts/infosec/facebook-is-censoring-posts-in-thailand.md 
@@ -0,0 +1,23 @@ +--- +title: "Facebook is censoring posts in Thailand" +date: 2017-01-12T14:14:00+06:00 +draft: false +tags: ["social media","censorship","asia","thailand", "facebook"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "/images/" + alt: "" + caption: "" +--- + +> Facebook CEO Mark Zuckerberg is driven by [a vision of “connecting the world”](https://www.facebook.com/zuck/posts/10100933624710391) and, though [he has said a compromise is necessary](https://techcrunch.com/2016/11/22/chinabook/) in the case of countries like China where free speech is restricted, it is hard to see how that vision fits with kowtowing to a law that has gotten [Thai people jailed for Facebook comments](https://news.vice.com/article/young-people-in-thailand-are-going-to-jail-for-facebook-comments), or [even merely receiving a message](http://www.independent.co.uk/news/world/asia/thailand-woman-prison-two-word-facebook-message-reply-a7022116.html) on the social network. +> +> Facebook is blocking content from a number of users following an apparent request from the government. Thailand’s lèse-majesté law prevents criticism of the country’s royal family, and it looks like it is being used to suppress postings from a number of high-profile users who are writing about the transition to a new king, including journalist Andrew MacGregor Marshall. His 2014 [book on the Thai royal family](http://www.telegraph.co.uk/travel/destinations/asia/thailand/articles/Thailand-bans-Britons-book-that-defames-monarchy/) was banned and branded a “danger to national security and peaceful and orderly society.” +> +> This isn’t the first instance of the social network upholding local law in Thailand. “Internet freedom declined in 2016 as the military leadership continued its efforts to codify censorship and surveillance powers through legislation,” Freedom House wrote. 
+> +> -- TechCrunch in [Facebook is censoring posts in Thailand that the government has deemed unsuitable](https://techcrunch.com/2017/01/11/facebook-censorship-thailand/) \ No newline at end of file diff --git a/content/posts/infosec/francetravail-ou-la-startup-nation-a-l-oeuvre.md b/content/posts/infosec/francetravail-ou-la-startup-nation-a-l-oeuvre.md new file mode 100644 index 0000000..183bf6b --- /dev/null +++ b/content/posts/infosec/francetravail-ou-la-startup-nation-a-l-oeuvre.md 
@@ -0,0 +1,61 @@ +--- +title: "France Travail ou la 'Start-up nation' à l’œuvre" +date: 2024-03-14T11:45:00+06:00 +draft: false +tags: ["data privacy","infosec","data breach","RGPD", "CNIL"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "/images/" + alt: "" + caption: "" +--- + +![France Travail laisse fuiter les données de 33 millions de personnes](/images/france-travail-se-distingue-en-cybersecurite.png "France Travail laisse fuiter les données de 33 millions de personnes") + +Chez le tout nouveau *France Travail* (ex- Pôle Emploi, ex- ANPE) il y a ceux qui font leur boulot[^1] et puis il y a [les autres](https://web.archive.org/web/20240313183337/https://www.francetravail.org/accueil/communiques/2024/france-travail-et-cap-emploi-victimes-dune-cyberattaque.html?type=article), notamment ceux du service SSI[^2] qui devaient avoir aqua-poney le jour où la solidité du tout nouveau site web et de son *backend* a été éprouvée. Si elle l'a été, ce dont vous me permettrez de douter (voir plus bas). + +## 43 millions de Français impactés + +*France Travail*, sans doute animée par le souci de démontrer que ~~la gabegie~~ le budget alloué à son *rebranding* ne l'a pas été en vain, réussit à battre la précédent record détenu jusqu'à présent par le duo Viamedis et Almerys qui avaient *laissé fuiter* les données personnelles de plus [33 millions de personnes](https://cnil.fr/fr/violation-de-donnees-de-deux-operateurs-de-tiers-payant-la-cnil-ouvre-une-enquete-et-rappelle-aux) (état civil, date de naissance, numéro de sécurité sociale, nom de l’assureur santé, garanties du contrat souscrit - Février 2024). 
Notons que Pôle Emploi avait déjà *égaré* les données de [10 millions de personnes](https://archive.wikiwix.com/cache/index2.php?url=https%3A%2F%2Fwww.latribune.fr%2Ftechnos-medias%2Finformatique%2Fpole-emploi-les-donnees-personnelles-volees-a-10-millions-de-chomeurs-sont-en-vente-sur-le-darknet-973944.html#&) en 2023. + +L'affaire est suffisamment grave cette fois pour qu'on ait pris la peine de [sortir la CNIL de sa sieste](https://www.cnil.fr/fr/france-travail-la-cnil-enquete-sur-la-fuite-de-donnees-et-donne-des-conseils-pour-se-proteger). + +## Les données *exposées* + +> Compte tenu des investigations techniques menées, les données personnelles d’identification (DPI) exposées sont: nom et prénom, date de naissance, numéro de sécurité sociale, identifiant France Travail, adresses mail et postale et numéros de téléphone -- *[France Travail](https://www.francetravail.org/accueil/communiques/2024/france-travail-et-cap-emploi-victimes-dune-cyberattaque.html?type=article)* + +Et de souligner en gras que: +> Les mots de passe et les coordonnées bancaires ne sont pas concernés par cet acte de cybermalveillance. Il n’existe donc aucun risque sur l’indemnisation. + +Effectivement, il ne reste plus grand chose à *égarer* à part les détails bancaires, toutes les DPI étant déjà dans la nature. + +## Un site tout pété + +Chez les gens un tant soit peu sérieux, il est de coutume de tester la solidité d'un site avant de le mettre en production; il faut croire que *France Travail* ~~n'y a pas pensé~~ n'a eu ni le temps ni les ressources pour le faire. Des outils simples existent pour cela, qui offrent un aperçu de la posture cybersécurité d'une site web (TLS, ciphers, PFS, HTTPS, etc.) à compléter évidemment par des audits en profondeur des interactions que le site peut avoir avec les applications tierces, l'évaluation de la surface d'attaque, les réactions en cas de crise, etc. Mais commençons par le commencement. 
+ +![Score pitoyable de francetravail.fr au Mozilla Observatory](/images/francetravail-fr-et-son-score-pitoyable-en-cybersecurite.png "Score pitoyable de francetravail.fr au Mozilla Observatory") + +Le [Mozilla Observatory](https://observatory.mozilla.org/analyze/francetravail.fr) leur décerne un score pitoyable de 5/100 (au 14 Mars 2024). + +Outre le vénérable [Mozilla Observatory](https://observatory.mozilla.org) d'autres sites tels [cryptcheck.fr](https://cryptcheck.fr/) de l'excellent [@aeris](https://imirhil.fr/), [securityheaders.com](https://securityheaders.com/), [internet.nl](http://internet.nl/), [hardenize.com](https://hardenize.com) `testssl.sh (CLI)`et beaucoup d'autres permettent d’évaluer en quelques minutes la solidité d'une application exposée au Web (*web-facing app* comme disent nos adversaires légendaires au rugby). Si la vitrine est aussi vilaine, je n'ose imaginer la tête de l'arrière-cour. Mais *France Travail manque de ressources* vous dit-on. Pourtant il devrait être possible de trouver facilement des profils de développeurs Web non? Parmi 43 millions de profils... + +Mais comme *France Travail* n'est probablement pas du genre à admettre qu'ils sont simplement mauvais, une petite phrase en fin de communiqué leur permet de se défausser sur les [nombreux partenaires](https://fr.wikipedia.org/wiki/France_Travail#Recours_aux_op%C3%A9rateurs_priv%C3%A9s_(OPP)) à qui les données sont transmises: + +> Dès la connaissance avérée de cette intrusion, nous avons pris des mesures complémentaires pour renforcer nos dispositifs de protection des accès à nos applicatifs par nos partenaires -- *C'est pas nous, promis!* + +## Porter plainte + +Une fois n'est pas coutume, les Gendarmes de l'Internet français nous informent qu'il est possible de porter plainte: + +> Comme le prévoit notamment le RGPD[^3], France Travail informera individuellement l’ensemble des personnes concernées par cette violation de données personnelles. 
Les personnes concernées par cette violation de leurs données personnelles ont la possibilité de déposer plainte en utilisant le formulaire de [lettre-plainte en ligne](https://www.demarches-simplifiees.fr/commencer/lettre-plainte-suite-a-la-fuite-de-donnees-france-travail) -- cybermalveillance.gouv.fr + +Ils risquent d'avoir un peu de travail si 43 millions de Français décident de porter plainte. Imaginons qu'il leur faille embaucher; c'est *France Travail* qui serait content. + + +[^1]: *Ahem, quoique* vous diront certains mais c'est un autre - et très vaste - sujet +[^2]: Sécurité des Services d'Information +[^3]: Règlement Général sur la Protection des Données - [Wikipedia](https://fr.wikipedia.org/wiki/RGPD) \ No newline at end of file
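Review bot: In the `europe-stronger-privacy-laws.md` front matter, the `tags` list ends with an empty string (`tags: ["data privacy","GDPR",""]`), which will generate an empty tag page in Hugo; drop the trailing `""`. The `cover.image` value `/images/` is a directory path rather than a file, with empty `alt` and `caption`, so either point it at an actual image or set `image: ""` as the Facebook post in this same commit does.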
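Review bot: In `every-move-you-make.md` the body embeds `/images/every-move-you-make.jpg` while `cover.image` is left at the placeholder `/images/`; set `cover.image` to `/images/every-move-you-make.jpg` (with the same caption as `alt`) or blank it out, otherwise the theme will try to render a cover from a directory path.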
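Review bot: In `facebook-does-not-connect-people-together.md` the sentence `An alternative is possible [though - if not too late:` contains an unmatched `[`, which renders as a literal bracket (or swallows text if a `]` appears later); remove it. The two blockquotes also open with a bare `>` line before the first quoted paragraph, which adds an empty paragraph inside the quote; start each quote at the `> **Abstract**` / `> **A healthy economy** ` line. The file is also missing a trailing newline.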
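Review bot: `facebook-is-censoring-posts-in-thailand.md` has the same `cover.image: "/images/"` placeholder with empty `alt`/`caption` as the other posts in this commit and no trailing newline; either supply a real image or set `image: ""`. Minor: the `tags` list mixes `"thailand", "facebook"` spacing with the comma-only style used elsewhere in the front matter.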
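Review bot: `francetravail-ou-la-startup-nation-a-l-oeuvre.md` gives two different victim counts: the heading and closing paragraph say "43 millions" while the banner image's alt text and caption say "33 millions de personnes" (the figure the post attributes to the earlier Viamedis/Almerys breach); pick one number for the France Travail incident so the image caption and the body agree. Footnote `[^2]` expands SSI as "Sécurité des Services d'Information", but the usual expansion (as in ANSSI) is "Sécurité des Systèmes d'Information". Typos worth fixing in the same pass: "battre la précédent record" (le précédent), "posture cybersécurité d'une site web" (d'un site), and the missing space in "`testssl.sh (CLI)`et". The `cover.image` placeholder `/images/` and the missing trailing newline apply here too.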